This community thread discusses the feature or improvement: Facebook & Twitter App Signin Integration.
Feature Details
APG vNext supports sign in Integration with Facebook, Twitter, and Google+. [attachment=socialsignin.png] Enabling Google Login is easy, as y...
How APG vNext Handles Feature Requests
Feature requests and suggestions are tracked through the community forum. The development team reviews popular requests and incorporates the most-requested improvements into upcoming releases.
- Vote for features by upvoting the original post in the forum thread
- Add details about your use case to help prioritize the request
- Check the release blog for updates on upcoming features
See the full feature set on the Features page or browse all community discussions.
Facebook and Twitter App Sign-In Integration in APG vNext
APG vNext supports OAuth-based social login via Facebook, Twitter (now X), Google, and Microsoft. When configured, members can register and log in with their existing social account without creating a separate password. This reduces registration friction significantly - communities with social login typically see 3-5x higher registration conversion.
Facebook Login Setup
- Create a Facebook App at developers.facebook.com
- Add product: "Facebook Login"
- Set Valid OAuth Redirect URIs:
https://yourforum.com/auth/callback/facebook - Copy App ID and App Secret to web.config:
<add key="APG.OAuth.Facebook.AppID" value="your-app-id" />
<add key="APG.OAuth.Facebook.AppSecret" value="your-app-secret" />
<add key="APG.OAuth.Facebook.Enabled" value="true" />
Twitter (X) Login Setup
<add key="APG.OAuth.Twitter.ConsumerKey" value="your-api-key" />
<add key="APG.OAuth.Twitter.ConsumerSecret" value="your-api-secret" />
<add key="APG.OAuth.Twitter.Enabled" value="true" />
Requesting Required Permissions
Request only the minimum permissions needed. For forum login:
- Facebook:
public_profile+email - Twitter:
read(email requires additional Twitter app approval)
Handling Accounts Without Email
<add key="APG.OAuth.RequireEmail" value="true" />
<add key="APG.OAuth.EmailFallbackPrompt" value="true" />
<!-- Prompts member to enter email if provider doesn't supply one -->
Configuring Facebook Login for APG vNext
To enable Facebook login, create a Facebook App in the Meta Developer Portal and configure the OAuth redirect URI to https://yourforum.com/auth/facebook/callback. Add the App ID and App Secret to web.config:
<add key="APG.Auth.Facebook.AppId" value="your-app-id" />
<add key="APG.Auth.Facebook.AppSecret" value="your-app-secret" />
<add key="APG.Auth.Facebook.Enabled" value="true" />
Request the email and public_profile permissions in the Meta App settings. Facebook requires all apps using login to complete App Review before enabling login for users outside your development team. For most community forum use cases, the standard login permission tier (email + profile) does not require additional review beyond the basic app setup. APG vNext uses the Facebook OAuth flow to obtain an access token, fetch the member's name and email, and create or link a forum account — the access token is not stored long-term.
Configuring Twitter/X Login for APG vNext
Twitter (now X) login uses OAuth 1.0a. Create a Twitter Developer App at developer.twitter.com, set the callback URL to https://yourforum.com/auth/twitter/callback, and enable the Read permission. Add the API key and secret to web.config:
<add key="APG.Auth.Twitter.ApiKey" value="your-api-key" />
<add key="APG.Auth.Twitter.ApiSecret" value="your-api-secret" />
<add key="APG.Auth.Twitter.Enabled" value="true" />
Twitter does not share the user's email address by default — to receive the email, you must apply for Elevated API access (free but requires approval). Without email access, APG vNext creates the forum account using the Twitter username and prompts the member to add an email address during their first login.
Merging Existing Accounts with Social Login
Members who registered with an email and password before social login was enabled can link their existing forum account to their social provider profile without creating a duplicate account. APG vNext handles this through an account merging flow: when a member attempts to sign in via Facebook or Twitter and the social provider's email matches an existing forum account, APG vNext prompts the member to confirm their forum password to authorise the link. After confirmation, the social login is permanently linked and the member can use either method going forward. This prevents the common problem of duplicate accounts that occurs when social login is added to an established forum without a merging mechanism. Administrators can also manually link social profiles to existing accounts from the member management page for cases where the email addresses don't match.
Rate Limiting Social Login Attempts
Social login endpoints can be targeted by automated abuse — bots that attempt to create large numbers of fake accounts using disposable social profiles or compromised accounts. APG vNext applies rate limiting to social login callbacks at the same level as standard login: too many failed or suspicious social login attempts from the same IP address trigger a temporary block and CAPTCHA challenge. Configure the social login rate limit in Admin Panel → Security → Rate Limiting → Social Login. For additional protection, enable the member verification step for new social login registrations (Admin Panel → Members → Registration → Verify Social Login Email), which sends a verification email to the address received from the social provider before activating the forum account.
Social Login Security Considerations
When enabling social login, disable password-based login for accounts created exclusively via social auth — these accounts have no password to reset and cannot be compromised through brute-force attacks. APG vNext creates social-only accounts with a randomly generated, non-guessable token rather than an empty password, preventing any password-based login attempts. Configure account linking carefully: decide whether members can link multiple social providers to one forum account, and whether they can also set a forum password alongside their social login. Providing multiple login options gives members flexibility while ensuring they can always access their account even if one provider's service is temporarily unavailable.
Related Resources
Looking for more help? Browse the support forum or check the Knowledge Base.